Share this story

More than 2,000 websites—some operated by Fortune 500 companies, game sites, and retail outlets—are exposing system status information that can be used by attackers to compromise Web servers or customer accounts, a recent research project found.

The pages display the number of processes running on a Web server, the status of various Web requests, and other data that can be invaluable to site administrators. But the same data—which can also include the full URL they're visiting—can also be helpful to attackers who want to compromise the customers or users visiting the site. Site admins have long been admonished to keep those pages from being visible to the outside world unless they have a good reason for doing otherwise and have thought through the decision carefully.

HD Moore, who is CSO of Rapid7 and chief architect of the Metasploit penetration testing software framework, spent 45 minutes retracing Cid's steps. Using a shell script he cobbled together, he found 1,774 of the top Alexa 100,000 websites exposed status pages through either the HTTP or SSL protocols. At least six of them exposed URLs with easily visible cleartext user names or passwords. Another dozen or so contained what appeared to be session IDs that are used to grant access to restricted parts of a website.

"[Session] ID's are bad, but cleartext passwords are worse, and in some cases these are passwords that would normally be sent over SSL," Moore told Ars. "But the server-status is leaking them back in cleartext. That's pretty awful."

In fairness to some of the administrators whose sites were identified by Cid, the exposure of the Apache status page is sometimes a conscious decision. As long as the security of a site has been designed from the ground up to account for this decision and there's a good reason for making the page publicly accessible, the site is probably OK. But it's unclear why anyone outside of Cisco Systems or Mexican ISP Axtel would need that information.